Reputation: 27048
I am trying my hands on apigee. I have configured a proxy with oauth2.0 security.
Everything works fine. But I noticed that a new access token is generated every time I hit the oauth2/accesstoken
endpoint, even though the previous one has not expired.
So as a consequence my endpoint is accessible with more than one token at a time. I am not an OAuth2 expert, but isn't this a security risk, if we have so many access tokens floating around? Please clarify.
Is this the usual implementation of every OAuth2 server, or is it specific to Apigee, and if so, why?
My assumption is that for a particular client key/secret there would be only one valid access token at any given time, and when this expires the client should request a new token using the refresh token. Is this wrong?
Upvotes: 0
Views: 456
Reputation: 378
Use the ResponseCache policy to look up and populate the cache. It's a read-through cache policy.
Upvotes: 1
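The two behaviours discussed above side by side, as an added illustration that is not Apigee's code nor the answerer's: a hypothetical in-memory token issuer that either mints a fresh token on every request (what the question observes) or, like a read-through cache keyed by client id, returns the still-valid token for that client. The class name, the injectable `now` parameter and the 60-second TTL are assumptions for the example.

```python
import secrets
import time

# Added illustration (not Apigee code): a minimal in-memory token issuer
# that can either mint a fresh access token on every request or hand back
# the still-valid token for that client, which is what a read-through cache
# keyed by client id gives. Hypothetical names throughout.


class TokenIssuer:
    def __init__(self, ttl_seconds, reuse_unexpired):
        self.ttl = ttl_seconds
        self.reuse = reuse_unexpired
        self.tokens = {}   # access_token -> (client_id, expires_at)
        self.cache = {}    # client_id -> last issued access_token

    def issue(self, client_id, now=None):
        """Return an access token for client_id; `now` is injectable for tests."""
        now = time.time() if now is None else now
        if self.reuse:
            cached = self.cache.get(client_id)
            if cached is not None and self.tokens[cached][1] > now:
                return cached  # cache hit: no new token minted
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, now + self.ttl)
        self.cache[client_id] = token
        return token

    def validate(self, token, now=None):
        """Return the owning client_id if token is known and unexpired, else None."""
        now = time.time() if now is None else now
        entry = self.tokens.get(token)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

    def live_tokens(self, client_id, now=None):
        """All unexpired tokens for a client: the 'floating around' count."""
        now = time.time() if now is None else now
        return [t for t, (c, exp) in self.tokens.items() if c == client_id and exp > now]

    def revoke_client(self, client_id):
        """Drop every token for a client, e.g. after its secret is rotated."""
        for t in list(self.tokens):
            if self.tokens[t][0] == client_id:
                del self.tokens[t]
        self.cache.pop(client_id, None)
```

With `reuse_unexpired=False` three calls leave three live tokens for the client; with `reuse_unexpired=True` only one exists until it expires, and `revoke_client` invalidates whatever is outstanding in either mode.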